Although the Internet has had great successes in facilitating communications between computer systems and enabling electronic commerce, the computer systems connected to the Internet have been under almost constant attack by hackers seeking to disrupt their operation. Many of the attacks seek to exploit vulnerabilities of the application programs, operating systems, and other computer programs executing on those computer systems. One of the most destructive methods of attacking a computer system has been to infect the computer system with software that is designed specifically to damage or disrupt the computer system. Such software is referred to as “malware” because of its malicious nature. When malware invades a computer system, the integrity of the computer system is greatly compromised. Malware includes computer worms, viruses, Trojan horses, spyware, and so forth. Some malware behave nefariously, such as by illicitly collecting and transmitting personal information. Some malware can hijack resources needed by operating system components or use these resources to subvert the security of the operating system. For example, such malware can cause an unprotected network resource to open a TCP/IP port that allows a third party to access the operating system's resources.
One common type of malware acquires computer systems—i.e., targets—in order to propagate itself using the acquired computer systems. For example, the malware could be a worm that launches a self-propagating attack that exploits a vulnerability of a computer system by taking control and using that computer system to find other computer systems with the same vulnerability and launch attacks (i.e., sending the same worm) against them. One such worm is an Internet-scanning worm that generates and scans IP addresses in order to find vulnerable victims.
Various techniques have been developed and used to help detect the presence of such malware; unfortunately, detection of some malware has proved to be difficult. One technique attempts to set a trap, or “honeypot,” to detect the unauthorized use of network resources. For example, unused IP address space, such as a subnet, on the Internet can be set up as one or more honeypots in order to detect Internet worm activity. The computer systems that are set up as the honeypots at these addresses will not be providing any real services other than to record the activities of the invader. These honeypots are designed to wait for and detect unauthorized use of the IP addresses. The theory behind creating honeypots is that a worm that is scanning IP addresses is going to stumble across the honeypot and become detected. However, the effectiveness of such honeypots and similar detection technologies depends, in large part, on the worm blindly attempting to connect to multiple IP addresses. As the creators of these worms become more sophisticated in their methods of acquiring targets, these honeypots are becoming increasingly less successful at detecting these sophisticated worms.